Why It’s Vital For Users to Fund Open-Source Encryption Tools

We’ve been crowd-funding donations for several open-source encryption tools for two months now. We've discussed before why these tools are so important from a press freedom perspective, but we’ve also repeatedly heard one question from readers who have come across the campaign for the first time: “why should I contribute? I can already download these tools for free, and it’s unclear why my money is important.” So we wanted to explain a little further why it’s so critical for the public support these projects with donations.

Developing tools that are both cryptographically secure and usable is time consuming and expensive, and critically, the people who make them are at a steep disadvantage to both Silicon Valley start-ups and the surveillance industry. Nothing exemplifies this better than a comparison between WhatsApp and TextSecure.

WhatsApp vs. TextSecure

First, let’s look at WhatsApp, the popular app that Facebook purchased last week for a record $19 billion. WhatsApp really only has one purpose: to provide an easy-to-use texting service. To achieve this, it has about 50 employees, of which around 80% are developers and engineers. These engineers are likely paid top dollar for their work, making salaries ranging from $100-$250,000, and were also probably working for WhatsApp knowing that their company could be bought for billions of dollars one day.

WhatsApp may be unique in its selling price, but it is just one of countless similar start-ups in Silicon Valley—they all have millions in venture capital to attract dozens of the best professional developers each, whose sole job it is to create products that are ultra-usable for the non-technical user.

But WhatsApp is not an “end-to-end” encrypted service, meaning the company has the ability to gain access to the plain text of your messages if it so chooses. Security researchers have also shown how the encryption used by WhatsApp can be broken, so intelligence agencies and criminals could also gain access to your messages. In fact, the crypto weaknesses in WhatsApp have recently been called “the kind of stuff the NSA would love.”

Now look at one of the project we’re supporting, Open WhisperSystems that develops what is widely considered the best truly end-to-end encrypted texting application, TextSecure. Instead of 40 engineers working on their Android app like WhatsApp, they have two. They have just two other people—working only part time—on their yet-to-be released app for the iPhone. Like other similar projects, they cannot offer developers anything close to salary that a Silicon Valley start up can, and therefore have trouble attracting the developing talent needed to create a product used by the masses.

Despite the lack of funding, TextSecure is widely considered the best end-to-end encrypted application today, and was recently added into the default install of the CyanogenMod firmware used by ten million people. “We were already understaffed, but after the TextSecure V2 launch, we literally can't even keep up with the incoming email we get,” Moxie Marlinspike, the head of Open WhisperSystems, told us. “Enough funding to hire even one more person would dramatically transform what we're capable of.”

And for more on the great need for usability experts in developing online privacy tools, read this article by Gigaom's David Meyer.

Tor and Tails: In Need In Two Different Ways

Then you can look a tool like the Tails operating system, which has been vital for most, if not all, of the NSA journalists. Tails is an operating system that runs off of a USB or CD, never touches your hard drive, forces encryption whenever possible, and securely wipes on every shutdown. Its prime use case is journalists trying to communicate or work in environments in which they may normally be at risk or compromised. The NSA stories have been the biggest story in journalism in the past decade, yet the tool the reporters rely on is incredibly underfunded, is maintained by only a handful of developers, and operates on a shoestring budget.

Even the budgets of supposedly well-funded organizations like the Tor Project pale in comparison to what these Silicon Valley start-ups receive. Tor offers anonymous web browsing and is the most well-known of the open-source encryption tools available to the public. Often, Tor requires a lot of funding to maintain and speed up their main project, the Tor Browser Bundle, but funders are only interested in new features, and that often leaves the every day bug fixes, maintenance work, and making existing features more efficient underfunded and neglected.

SecureDrop, our open-source whistleblower system that is now active across at least six major news organizations (and with three more coming soon), relies on both Tails and Tor. SecureDrop also almost exclusively survives on users donating to support it or developers donating time to work on it. Imagine what we could do with a real budget as well.

This is just a taste of the uphill climb encryption tools have. We haven’t even discussed all of the actors who are actively trying to break these privacy tools, and funded at an exponentially higher rate to do so. The private surveillance industry is estimated at $5 billion per year and growing, and that number doesn’t even include what governments are doing with billions in intelligence funding internally.

So that’s where the public comes in. Whether you donate $10, $100, or $1,000 your donation will go along way. Not only can it help pay for vital features, but it sends a message to the rest of the public that these tools are worth fighting for.

Journalism organizations can contribute too. Since they are relying more and more on these tools, they can fund these open-source projects, or help in other ways, like other running Tor bridges or obsfproxies.